
<!DOCTYPE HTML>
<html lang="zh">
    <head>
        <meta charset="UTF-8">
        <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
        <title>日志操作 · GitBook</title>
        <meta http-equiv="X-UA-Compatible" content="IE=edge" />
        <meta name="description" content="">
        <meta name="generator" content="GitBook 3.2.3">
        
        
        
    

    </head>
    <body>
        
<div class="book">

    <div class="book-body">
        
            <div class="body-inner">
                
                    





                    <div class="page-wrapper" tabindex="-1" role="main">
                        <div class="page-inner">
                            
<div id="book-search-results">
    <div class="search-noresults">
    
                                <section class="normal markdown-section">
                                
                                <h1 id="powershell11-powershell&#x4E0E;&#x4E8B;&#x4EF6;&#x65E5;&#x5FD7;">powershell(11)-Powershell&#x4E0E;&#x4E8B;&#x4EF6;&#x65E5;&#x5FD7;</h1>
<p>在渗透的过程中，我们难免遇到删除日志的需求，比如做了某些操作之后必须进行日志的删除；同时作为系统管理员，也必须掌握日志的操作与备份等，才能在遇到事件后第一时间定位攻击并提出修复方案。我们下面来看看Powershell在Windows事件日志中的表现。</p>
<h3 id="cmdlet">CmdLet</h3>
<p><strong>Powershell Version 2.0</strong></p>
<p>PowershellV2中关于日志的CmdLet有下面的命令，给大家准备了官方的文档，可以自行研究。</p>
<ul>
<li><a href="https://docs.microsoft.com/zh-cn/powershell/module/Microsoft.PowerShell.Management/Clear-EventLog?view=powershell-3.0" target="_blank">Clear-EventLog</a></li>
<li><a href="https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1" target="_blank">Get-EventLog</a></li>
<li><a href="https://docs.microsoft.com/zh-cn/powershell/module/Microsoft.PowerShell.Diagnostics/Get-WinEvent?view=powershell-3.0" target="_blank">Get-WinEvent</a></li>
<li><a href="https://docs.microsoft.com/zh-cn/powershell/module/Microsoft.PowerShell.Management/Limit-EventLog?view=powershell-3.0" target="_blank">Limit-EventLog</a></li>
<li><a href="https://docs.microsoft.com/zh-cn/powershell/module/Microsoft.PowerShell.Management/New-EventLog?view=powershell-3.0" target="_blank">New-EventLog</a></li>
<li><a href="https://docs.microsoft.com/zh-cn/powershell/module/Microsoft.PowerShell.Management/Remove-EventLog?view=powershell-3.0" target="_blank">Remove-EventLog</a></li>
<li><a href="https://docs.microsoft.com/zh-cn/powershell/module/Microsoft.PowerShell.Management/Show-EventLog?view=powershell-3.0" target="_blank">Show-EventLog</a></li>
<li><a href="https://docs.microsoft.com/zh-cn/powershell/module/Microsoft.PowerShell.Management/Write-EventLog?view=powershell-3.0" target="_blank">Write-EventLog</a></li>
</ul>
<h3 id="&#x5E38;&#x89C1;&#x7684;&#x65E5;&#x5FD7;&#x64CD;&#x4F5C;">&#x5E38;&#x89C1;&#x7684;&#x65E5;&#x5FD7;&#x64CD;&#x4F5C;</h3>
<p>下面介绍一下Powershell中常见的事件日志操作。</p>
<h4 id="&#x5217;&#x51FA;&#x4E8B;&#x4EF6;&#x65E5;&#x5FD7;&#x5217;&#x8868;">&#x5217;&#x51FA;&#x4E8B;&#x4EF6;&#x65E5;&#x5FD7;&#x5217;&#x8868;</h4>
<pre><code class="lang-powershell"><span class="hljs-built_in">Get-Eventlog</span> -List
</code></pre>
<p><img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/log/1510895065732.png" alt="Get-Eventlog -List 的输出截图"></p>
<h4 id="&#x67E5;&#x770B;security&#x65E5;&#x5FD7;">&#x67E5;&#x770B;security&#x65E5;&#x5FD7;</h4>
<pre><code class="lang-powershell"><span class="hljs-built_in">Get-Eventlog</span> -LogName security
</code></pre>
<p><img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/log/1510895162316.png" alt="Get-Eventlog -LogName security 的输出截图"></p>
<h4 id="&#x5217;&#x51FA;&#x6700;&#x8FD1;&#x65E5;&#x5FD7;">&#x5217;&#x51FA;&#x6700;&#x8FD1;&#x65E5;&#x5FD7;</h4>
<pre><code class="lang-powershell"> <span class="hljs-built_in">Get-EventLog</span> -LogName security -Newest <span class="hljs-number">5</span>
</code></pre>
<p><img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/log/1510895671895.png" alt="Get-EventLog -LogName security -Newest 5 的输出截图"></p>
<h4 id="&#x5217;&#x51FA;&#x6307;&#x5B9A;&#x65F6;&#x95F4;&#x6BB5;&#x5185;&#x7684;&#x65E5;&#x5FD7;">&#x5217;&#x51FA;&#x6307;&#x5B9A;&#x65F6;&#x95F4;&#x6BB5;&#x5185;&#x7684;&#x65E5;&#x5FD7;</h4>
<pre><code class="lang-powershell"> <span class="hljs-built_in">Get-EventLog</span> -LogName security -After <span class="hljs-number">2017</span>-<span class="hljs-number">11</span>-<span class="hljs-number">15</span> -Before <span class="hljs-number">2017</span>-<span class="hljs-number">11</span>-<span class="hljs-number">17</span>
</code></pre>
<p><img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/log/1510895914819.png" alt="Get-EventLog -LogName security -After 2017-11-15 -Before 2017-11-17 的输出截图"></p>
<h4 id="&#x6839;&#x636E;&#x4E8B;&#x4EF6;id&#x5217;&#x51FA;&#x65E5;&#x5FD7;">&#x6839;&#x636E;&#x4E8B;&#x4EF6;ID&#x5217;&#x51FA;&#x65E5;&#x5FD7;</h4>
<pre><code class="lang-powershell"> <span class="hljs-built_in">Get-EventLog</span> -LogName security -InstanceId <span class="hljs-number">4624</span>
</code></pre>
<p><img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/log/1510896070185.png" alt="Get-EventLog -LogName security -InstanceId 4624 的输出截图"></p>
<h4 id="&#x83B7;&#x53D6;&#x67D0;&#x4E00;&#x6761;&#x4E8B;&#x4EF6;&#x65E5;&#x5FD7;">&#x83B7;&#x53D6;&#x67D0;&#x4E00;&#x6761;&#x4E8B;&#x4EF6;&#x65E5;&#x5FD7;</h4>
<p>&#x901A;&#x8FC7;index&#x83B7;&#x53D6;&#xFF1A;</p>
<pre><code class="lang-powershell"><span class="hljs-built_in">Get-EventLog</span> -LogName system -Index <span class="hljs-number">32324</span>
</code></pre>
<p><img src="https://raw.githubusercontent.com/myoss114/oss/master/uPic/log/1510925814823.png" alt="Get-EventLog -LogName system -Index 32324 的输出截图"></p>
<p>那么当我们获取到一条日志之后，就可以把它完全看作一个对象，直接对其操作即可。下面是查看日志的一些属性的方法。</p>
<h5 id="&#x67E5;&#x770B;&#x6B64;&#x6761;&#x65E5;&#x5FD7;&#x7684;&#x4E00;&#x4E9B;&#x5C5E;&#x6027;">&#x67E5;&#x770B;&#x6B64;&#x6761;&#x65E5;&#x5FD7;&#x7684;&#x4E00;&#x4E9B;&#x5C5E;&#x6027;</h5>
<pre><code class="lang-powershell"><span class="hljs-variable">$log</span> = <span class="hljs-built_in">Get-EventLog</span> -LogName system -Index <span class="hljs-number">32324</span>
</code></pre>
<ul>
<li>&#x7C7B;&#x578B;</li>
</ul>
<pre><code class="lang-powershell"><span class="hljs-variable">$log</span>.EntryType

<span class="hljs-comment"># Warning</span>
</code></pre>
<ul>
<li>&#x4E8B;&#x4EF6;ID</li>
</ul>
<pre><code class="lang-powershell"><span class="hljs-variable">$log</span>.InstanceId

<span class="hljs-comment"># 1014</span>
</code></pre>
<ul>
<li>&#x65E5;&#x5FD7;&#x6D88;&#x606F;</li>
</ul>
<pre><code class="lang-powershell"><span class="hljs-variable">$log</span>.Message

<span class="hljs-comment"># &#x5728;&#x6CA1;&#x6709;&#x914D;&#x7F6E;&#x7684; DNS &#x670D;&#x52A1;&#x5668;&#x54CD;&#x5E94;&#x4E4B;&#x540E;&#xFF0C;&#x540D;&#x79F0; teredo.ipv6.microsoft.com &#x7684;&#x540D;&#x79F0;&#x89E3;&#x6790;&#x8D85;&#x65F6;&#x3002;</span>
</code></pre>
<ul>
<li>&#x4E8B;&#x4EF6;&#x6E90;</li>
</ul>
<pre><code class="lang-powershell"><span class="hljs-variable">$log</span>.Source
<span class="hljs-comment"># Microsoft-Windows-DNS-Client</span>
</code></pre>
<ul>
<li>&#x65E5;&#x5FD7;&#x4EA7;&#x751F;&#x65F6;&#x95F4;</li>
</ul>
<pre><code class="lang-powershell"><span class="hljs-variable">$log</span>.TimeGenerated

<span class="hljs-comment"># 2017&#x5E74;11&#x6708;17&#x65E5; 21:33:17</span>
</code></pre>
<ul>
<li>&#x4EA7;&#x751F;&#x65E5;&#x5FD7;&#x7684;&#x7528;&#x6237;</li>
</ul>
<pre><code class="lang-powershell"><span class="hljs-variable">$log</span>.UserName

<span class="hljs-comment"># NT AUTHORITY\NETWORK SERVICE</span>
</code></pre>
<h4 id="&#x5220;&#x9664;&#x4E8B;&#x4EF6;&#x65E5;&#x5FD7;">&#x5220;&#x9664;&#x4E8B;&#x4EF6;&#x65E5;&#x5FD7;</h4>
<h5 id="remove-eventlog">Remove-Eventlog</h5>
<p>&#x8FD9;&#x4E2A;cmdlet&#x4F1A;&#x6CE8;&#x9500;&#x6389;&#x4E8B;&#x4EF6;&#x6E90;</p>
<pre><code class="lang-powershell"> Remove-EventLog -LogName security
</code></pre>
<p>&#x4EC5;&#x6CE8;&#x9500;&#x4E8B;&#x4EF6;&#x6E90;&#xFF0C;&#x4E0D;&#x5220;&#x9664;&#x65E5;&#x5FD7;</p>
<p>&#x6CE8;&#x9500;&#x4E8B;&#x4EF6;&#x6E90;&#x540E; app&#x5C06;&#x65E0;&#x6CD5;&#x5199;&#x5165;&#x4E8B;&#x4EF6;&#x65E5;&#x5FD7;</p>
<pre><code class="lang-powershell">Remove-EventLog -Source app
</code></pre>
<h5 id="clear-eventlog">Clear-Eventlog</h5>
<p>这个cmdlet仅会清除日志。需要注意的是，清除操作本身会被记录下来：Security 日志被清除时会写入事件 ID 1102，其他日志被清除时会在 System 日志中写入事件 ID 104，这也是防御方检测日志清除行为的常用依据。</p>
<pre><code class="lang-powershell">Clear-Eventlog -LogName security

<span class="hljs-comment"># &#x53EF;&#x4EE5;&#x76F4;&#x63A5;&#x8FDC;&#x7A0B;&#x5220;&#x9664;</span>
Clear-Eventlog -LogName security -computername localhost, Server02
</code></pre>

                                
                                </section>
                            
    </div>
</div>

                        </div>
                    </div>
                
            </div>

            
                
                
            
        
    </div>

</div>

        
        
    

    </body>
</html>

